Spotlight: Cyber - How have cyber risks changed since the Covid-19 pandemic started?


With millions of UK employees forced to work from home during the Covid-19 lockdowns, organisations are more aware than ever of the cyber risks they face. But, while many expect this to push up demand for cyber insurance, the new landscape could also reshape the way businesses, individuals and insurers manage this risk

Shifting almost overnight to remote working in March proved to be a challenge for many organisations, but also a prime opportunity for the cyber criminals. “At home, employees don’t have their colleagues around them to sense check an email,” says David Warr, cyber underwriter at QBE Europe. “They might also be juggling other commitments such as looking after a child or an elderly relative, so their concentration isn’t where it would be in the office. Unfortunately, human error is behind many of the successful cyber attacks.”

Gone phishing

The cyber criminals took advantage of this, launching phishing attacks that preyed on employees’ fears. Examples include emails offering Covid-19 related tax relief; links to masks and hand sanitiser; and warnings about fines for breaking lockdown rules. “It’s been a hacker’s paradise,” says Ashwin Mistry, executive chairman of Brokerbility and BHIB Insurance Brokers. “They really sought to exploit vulnerable home workers.”

Weaknesses in cyber security were also exploited. Many firms had already addressed this because remote working was part of their business model but, for some, relocating employees to their homes presented an IT nightmare, with new vulnerabilities introduced through home Wi-Fi setups.

Even where home working networks were already relatively secure, Nigel Pearson, group cyber director at RSA, says that the demand for new technology such as video conferencing platforms still created problems. “It’s fine if this is set up correctly but, if not, it offers the cyber criminals another potential point of entry into the organisation’s network,” he explains. “We also saw instances where the IT department was so focused on keeping the business going, employees were less likely to turn to them if they saw something unusual. It was a challenging time.”

Ransom demands

While the criminals may have seized the opportunity to exploit the change in working patterns, ransomware remains the primary concern for the cyber insurance market. Lindsey Nelson, cyber development leader at CFC Underwriting, says the attacks are now a lot more sophisticated than when this form of cyber attack first hit the headlines in 2017 with the WannaCry and NotPetya attacks.

“The cyber criminals used to adopt a spray and pray approach but it’s much more targeted now,” she explains. “They’ll research the company and set the ransomware at an appropriate, and generally much higher, level.”

To illustrate this, she points to a case where a policyholder received a ransom demand for £1m. They refused to pay but the cyber criminal simply sent them a copy of their financial statements, showing them that they knew they had the funds.

Also helping the criminals to extract more cash out of their targets, the threats associated with ransomware have evolved. “It used to be all about encrypting systems and preventing access, but they’re more likely to take a two-pronged approach now,” says Thomas Clayton, cyber team leader at Zurich Insurance. “As well as preventing access, they’ll also deploy data exfiltration, stealing personal data held by the company and threatening to publish it if the ransom isn’t paid. This introduces another layer of reputational risk as well as a potential data protection fine and notification costs.”  

As well as becoming more sophisticated, ransomware has also become more common. Pearson describes it as the industrialisation of ransomware. “Five years ago, only a few groups were able to carry out such sophisticated ransomware attacks,” he explains. “Now, the criminals have shared their knowledge through the dark web. The threat landscape is much worse.”

 

Claims crunch

Unsurprisingly, this uptick in cyber attacks is feeding through into the insurance space, as highlighted in Post’s recent survey-based research with Cyberscout. This found that, since March when the UK went into lockdown, 39.2% of the insurers and brokers surveyed had seen a small increase in the volume of cyber claims. Additionally, 24.1% said they’d seen an increase in the value of these claims.

Nelson isn’t surprised. “Cyber claims frequency has been increasing long before Covid-19 came along and has probably stabilised this year,” she says. “However, the size of these claims has skyrocketed as a result of the increase in the severity of demand.” 

While the hackers behind 2017’s WannaCry attack asked for ransoms of $300 to $600, Nelson says demands start at $1m minimum now and she’s even seen some as high as $20m. “Add on the forensic and legal costs and it’s not surprising that claims costs are escalating,” she adds.

Seeking cover

Against this backdrop, interest in cyber insurance is on the up. The survey found that most respondents (89.5%) expect to see an increase in sales of cyber insurance over the next 12 months, with 19.8% expecting growth to be in excess of 15%. 

Warr isn’t surprised by this and says that many companies that have been looking at cover over the last couple of years are now reaching the point where they take it out. Similarly, Nelson says that, with so many losses affecting the market, she’s seen interest from companies that have been stung and now want cover. 

Neil Arklie, head of cyber insurance at Aviva, also believes momentum is gathering in the cyber insurance market. “It’s an automatic purchase for FTSE 100 companies but we’re seeing more interest now from smaller companies,” he explains. “It will end up as a standard part of the insurance programme. We’ve seen that happen in the US, where it’s often sold as part of a packaged product and I expect the same will happen here.”  

It’s also becoming a necessary part of doing business. Clayton says that more companies are making it a contractual requirement, forcing their suppliers to take out cover or look for work elsewhere.

There are some obstacles in its way. Trust is an issue, with the research finding that 38.4% thought the dispute over business interruption claims validity would make it more difficult to sell cyber insurance products. Interestingly, 11.5% thought it would actually make it easier.

Financial pressures, often exacerbated by Covid-19, are also likely to slow sales growth. “It’s still a difficult upsell,” says Mistry. “The economy is slowing down and people don’t want to pay more than they have to for insurance.”

Given that rates are hardening across other lines of business, finding the additional money for cyber insurance will become increasingly challenging. 

 

Risk register

While there are some obstacles, the fact that cyber risks have moved up the corporate agenda supports the potential for sales growth. This was highlighted in the research, which found that 80.2% of respondents thought employers are placing a higher priority on cyber risks post Covid-19. Just 4.7% thought these risks were now considered a lower priority.

The rise up the corporate risk agenda is something observed by the insurers too. As an example, Neil Clutterbuck, chief underwriting officer at Allianz, points to Allianz’s Risk Barometer. “Seven years ago, cyber risk was only ranked 15th whereas in January of this year it topped the global survey,” he says. “Since then the pandemic has further accelerated both the risk and the awareness. It should be seen as a key catastrophic risk for businesses of all sizes.”

Alongside the heightened awareness of the risks, there’s also much more publicity around cyber attacks. “Thanks to the General Data Protection Regulation, there’s a lot more coverage of data breaches and cyber attacks,” says Mistry. “In addition, insurers are sharing examples of smaller companies suffering losses. It’s a recognised risk now, not just something that’s perceived as only happening to large organisations.”

Fines, which are set at a maximum of 2% of annual global turnover under GDPR, also help to sharpen the focus. As these increase – for example, in 2019 the Information Commissioner’s Office announced its intention to fine British Airways £20m for poor security standards – it gets harder to ignore.

Getting personal

Corporate cyber risk focus might be sharpening but the research also found that, as the line between individuals’ home and work lives became more blurred, respondents can see potential for a personal lines product. When asked whether they thought individual consumers would be more likely to take out personal cyber cover, 46.5% say slightly more, and a further 10.5% say much more.

Although some personal lines products are available, largely in the high-net-worth market, it’s failed to gain much traction as a mass market option. Finding the right way to package it remains a challenge. “The potential exposure for individuals is much lower than for corporates but they could still be looking at a bill for a few hundred pounds if their laptop is encrypted or more if the criminals get hold of their personal data and steal their identity.”

He believes that a personal lines policy that provides access to legal advice and some cover for losses could work well. “If I could buy as an add-on to my household policy for £50 to £100 a year I probably would,” he adds.   

The future of work dynamic may also hold the key to unlocking the personal lines market. While corporate cyber policies cover any losses that an employee may incur while working, even on their own devices, they may be an ideal vehicle to distribute personal cover. Clayton is sceptical. “The exposures and underwriting on corporate and personal lines cyber products are so different,” he says. “You’re also looking at very different appetites for retaining risk.”

However, Nelson is more optimistic. She believes that insurers could develop a personal lines product that could be offered as a benefit to employees to cover their personal exposure. Knowing they worked for a company that took cyber risk seriously would give some additional confidence to the underwriters.

Risk management

While a personal lines cyber product may require more work, the research found that most respondents are expecting to see more demand for cyber risk management services in the next 12 months. Overall, 83.7% of respondents expect to see an increase.

This is something Jaini Gudhka, senior risk manager at QBE Europe, has already observed. “We’re seeing more demand from businesses and brokers for risk management services,” she says. “For policyholders and prospects, we recommend a risk assessment to understand exposure and security issues. We also provide our policyholders with bulletins, alerting them to any emerging risks or changes in the cyber landscape, and best practice guidance, including, as an example, a guide to how to support remote working.”

Training is another area which has seen demand rise, with Arklie encouraging companies to educate employees about cyber security, whether they’re working at home or in the office. “Understanding the importance of basics such as backing up data and having a firewall running and patched can make a big difference,” he adds. “I’d also encourage companies to achieve the cyber essentials. Research by Lancaster University found that it can help companies avoid 99% of cyber attacks.”

 

Future market

As well as supporting businesses, especially in the SME sector, risk management could also prove invaluable to the cyber insurance market. “Insurers can’t fund the potential losses with a limited pool,” says Mistry. “Risk management is essential to them too.”

The insurers agree. “Some markets are pulling out of cyber as the losses build against low prices,” says Nelson, who expects there to be a readjustment on rates and a tightening of cover by certain markets. “Insurers need to invest in risk management and claims infrastructure to help control an incident when it happens. We also need to use the data we have to understand policyholder vulnerabilities and get one step ahead of the hackers.”

Clayton also believes the cyber risk market is approaching a turning point. “The pandemic is a blessing and a curse,” he says. “Organisations are going through short-term pain as they adapt to the Future of Work but it will lead to much greater adoption of cybersecurity. We’ll look back and see this as a sea-change moment.”
